Using Ubuntu Desktop: Log out can be found in the top right corner under the Power icon. Click the ethereum user account and enter the password.
Hardening SSH Access
Local node? You can skip this section on Hardening SSH Access.
Creating a new SSH Key
Create a new SSH key pair on your client machine (i.e. your local laptop). Run this on your client machine, not on the remote node. Replace the comment with your email address or another identifying comment.
ssh-keygen -t ed25519 -C "name@email.com"
You'll see this next:
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/<myUserName>/.ssh/id_ed25519):
Here you're asked to type a file name in which to save the SSH private key. If you press Enter, the default file name id_ed25519 is used.
Next, you're prompted to enter a passphrase.
Enter passphrase (empty for no passphrase):
Location: Your SSH key pair is stored in your home directory under ~/.ssh
File name: If your default key name is id_ed25519, then
your private SSH key is id_ed25519
your public SSH key is id_ed25519.pub
Verify the contents of your private SSH key file before moving on.
This will allow you to log in with ssh ethereum-server rather than needing to pass through all ssh parameters explicitly.
Synchronizing time with Chrony
chrony is an implementation of the Network Time Protocol and helps to keep your computer's time synchronized with NTP.
Because the consensus client relies on accurate times to perform attestations and produce blocks, your node's time must be accurate to real NTP time within 0.5 seconds.
To install chrony:
sudo apt-get install chrony -y
To see the source of synchronization data:
chronyc sources
To view the current status of chrony:
chronyc tracking
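An added example (not part of the original guide): a shell function that reads `chronyc tracking` output and checks the reported system-time offset against the 0.5 second limit stated above. The function names, the host name ntp.example.net and the sample outputs are constructed for illustration.

```shell
# Added example: judge `chronyc tracking` output against this guide's 0.5 s limit.
MAX_OFFSET=0.5   # seconds

# Reads `chronyc tracking` text on stdin and prints a one-line verdict.
# Returns 0 if within the limit, 1 if not, 2 if the output cannot be parsed.
check_tracking() {
  awk -v max="$MAX_OFFSET" '
    /^System time/ {   # "System time     : 0.000006523 seconds slow of NTP time"
      split($0, kv, ": "); split(kv[2], f, " ")
      offset = f[1] + 0; direction = f[3]; seen = 1
    }
    /^Leap status/ { split($0, kv, ": "); leap = kv[2] }
    END {
      if (!seen) { print "UNKNOWN: no System time line"; exit 2 }
      if (leap == "Not synchronised") { print "FAIL: clock not synchronised"; exit 1 }
      if (offset > max) { printf "FAIL: %.3f s %s of NTP time\n", offset, direction; exit 1 }
      printf "OK: %.3f s %s of NTP time\n", offset, direction
    }'
}

# Constructed sample outputs (abridged, not captured from a real node).
sample_synced() {
  cat <<'EOF'
Reference ID    : C0000201 (ntp.example.net)
Stratum         : 3
System time     : 0.000006523 seconds slow of NTP time
Leap status     : Normal
EOF
}
sample_drifted() {
  cat <<'EOF'
Reference ID    : C0000201 (ntp.example.net)
Stratum         : 3
System time     : 0.731204118 seconds fast of NTP time
Leap status     : Normal
EOF
}
sample_unsynced() {
  cat <<'EOF'
Reference ID    : 00000000 ()
Stratum         : 0
System time     : 0.000000000 seconds fast of NTP time
Leap status     : Not synchronised
EOF
}

# On a node, run: chronyc tracking | check_tracking
for s in sample_synced sample_drifted sample_unsynced; do "$s" | check_tracking || true; done
```

A zero offset alone does not mean the clock is correct: the unsynchronised sample reports 0.000000000 seconds, which is why the function also checks the Leap status line.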
Setting Timezone
To pick your timezone run the following command:
sudo dpkg-reconfigure tzdata
Find your region using the simple text-based GUI.
If you use a national time zone such as India's IST, select:
Asia/Kolkata
This will be appropriate for all locales in the country (IST, GMT+0530).
Creating the jwtsecret file
A jwtsecret file contains a hexadecimal string that is passed to both the Execution Layer and Consensus Layer clients, and is used to ensure authenticated communications between both clients.
#store the jwtsecret file at /secrets
sudo mkdir -p /secrets
#create the jwtsecret file
openssl rand -hex 32 | tr -d "\n" | sudo tee /secrets/jwtsecret
#enable read access
sudo chmod 644 /secrets/jwtsecret
The standard UFW (Uncomplicated Firewall) can be used to control network access to your node and protect against unwelcome intruders.
Configure UFW Defaults
By default, deny all incoming and outgoing traffic.
Consensus clients generally use port 9000 for communication with other network peers. Prysm uses a slightly different configuration: TCP port 13000 and UDP port 12000.
Whitelisting, which means permitting connections from a specific IP, can be set up via the following command.
sudo ufw allow from <yourclientmachine>
# Example
# sudo ufw allow from 192.168.50.22
Local node? You can skip this section on installing Fail2ban.
Fail2ban is an intrusion-prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban blocks access from that IP address.
To install fail2ban:
sudo apt-get install fail2ban -y
Edit a config file that monitors SSH logins.
sudo nano /etc/fail2ban/jail.local
Add the following lines to the bottom of the file.
Important reminder: Ensure you are logged in and execute all steps in this guide as this non-root user, ethereum.
A passphrase adds an extra layer of protection to your SSH private key. Every time you connect via SSH to your remote node, enter this passphrase to unlock your SSH private key.
Passphrase is highly recommended! Do not leave this empty for no passphrase.
Do not forget or lose your passphrase. Save this to a password manager.
IMPORTANT: Make multiple backup copies of your private SSH key file to external storage, such as a USB backup key, for recovery purposes. Also back up your passphrase!
Even with SSH key authentication enabled, it is still possible to connect to your remote node with a login and password, a much less secure option that can be brute-forced.